Post on 12-Mar-2018
SESSION ID: HUM-R05
#RSAC
Adam Shostack
Securing the “Weakest Link”: Usable Security Lessons From Star Wars
@adamshostack
In the room, there was video from “Star Wars” (fairly used!)
It’s the boardroom briefing scene
The general says “This battle station is now the ultimate power in the universe,”
Vader responds “Don’t be so proud of this technological terror you’ve created”
My real slide is too big to distribute
Lord Vader Was Right
USING THE FORCE
• Computer security is about people
• People are a motivated and struggling link
• We ignore the human element at our own risk
AGENDA
• Some threat models
• How we make it worse
• How people are exploited
• How to make it better
A Threat Model
A Bad Threat Model
“Given a choice between dancing pigs and security the user will pick dancing pigs every time”
An Even Worse Threat Model
Declare the problem unsolvable!
OMG NOT OUR FAULT!
Web proxies? Remote Desktops?
Learned Helplessness!
People Get Tricked: A Threat Model
Human action(s) to change the computer’s configuration
Normal behaviors
No attacker says “now add a key to the registry” because FAIL
The computer has a chance to intervene/mitigate: Warnings, Sandboxes, Architecture
How People Are Tricked
Credential exposure (including phishing)
Intentionally running or installing software: Codecs, doppelgangers and “Microsoft Support” calls; Pirated software with extras
Accidental software execution: File extension hiding, icon tricks (Salaries.xlsx.exe); Documents with exploit payload
Web fakery — clickjacking, XSRF, etc
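An added example (my code, not from the talk) of the extension-hiding trick on the slide: model what a file browser with “hide extensions for known file types” shows, and flag names whose displayed type is a document while the part that actually runs is an executable. The extension sets are an assumption for illustration, not a complete list; whitespace padding before the real extension is treated as the same trick.

```python
# Added example (not from the talk). Models extension hiding so "Salaries.xlsx.exe"
# is displayed as "Salaries.xlsx", and flags that mismatch before a user sees it.
# Extension sets are assumptions for illustration, not an exhaustive list.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi", "hta"}
DOCUMENT_EXTS = {"xlsx", "xls", "docx", "doc", "pdf", "pptx", "txt", "jpg", "png"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS


def displayed_name(filename, hide_known_extensions=True):
    """Name as rendered by a file browser that hides the extension of known types."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not hide_known_extensions or ext.strip().lower() not in KNOWN_EXTS:
        return filename
    return stem


def deceptive_extension(filename):
    """Return a finding when the name a user sees implies a document but an
    executable extension is what actually runs; None when the name is honest."""
    parts = [p.strip().lower() for p in filename.split(".")]  # strips padding spaces
    if len(parts) < 3:
        return None
    shown, real = parts[-2], parts[-1]
    if real in EXECUTABLE_EXTS and shown in DOCUMENT_EXTS:
        return {"displayed": displayed_name(filename),
                "looks_like": shown, "actually_runs": real}
    return None
```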
How People Are Tricked: Scamicry
Scamicry: When real messages imitate scams
People have a security goal like “examine links carefully”
Store sends email with <a href=“http://cts.vrecc.com/ls?39389ee28a/64f53b0c9c/http%3A%2F…”>Safe Online Banking</a>
Bank calls and asks for your password
“But it’s the bank... I’m not smart enough to understand this”
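As an added example (my code, not from the talk), a defensive pre-send check for the scamicry pattern above: scan an outgoing HTML email for links whose host is not under the sender’s own domain, or that wrap another URL inside a click-tracking redirector. The sample message and the example-bank.test domain are constructed; the cts.vrecc.com redirector host is the one quoted on the slide.

```python
# Added example (not from the talk): pre-send check for scamicry, i.e. legitimate
# mail whose links look exactly like the ones we tell recipients to distrust.
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def embedded_url(href):
    """URL hidden inside a click-tracking redirector's path or query, if any."""
    decoded = unquote(href)
    idx = decoded.find("http", 8)  # skip the outer URL's own scheme
    return decoded[idx:] if idx != -1 else None

def find_scamicry_links(html, sender_domain):
    """Flag links a careful recipient should refuse to click: a host outside the
    sender's own domain, or a redirector wrapping the real destination."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if host != sender_domain and not host.endswith("." + sender_domain):
            reasons.append(f"host {host!r} is outside {sender_domain!r}")
        if inner := embedded_url(href):
            reasons.append(f"redirector wraps {inner!r}")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings

# Constructed sample: redirector host from the slide; bank domain and target are placeholders.
SAMPLE_EMAIL = ('<a href="http://cts.vrecc.com/ls?39389ee28a/64f53b0c9c/http%3A%2F%2F'
                'www.example-bank.test%2Flogin">Safe Online Banking</a>'
                '<a href="https://www.example-bank.test/help">Help</a>')
```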
How People Are Overwhelmed
Advice that can’t be followed in reasonable time: “Read TOS, privacy policies to understand how we’ll use your data”
Advice that requires too much skill: Solve this captcha!
Complexity and depth: Why do you need a long password? Let me explain password cracking…
http://www.seosmarty.com/impossible-captcha-it-doesnt-really-matter-if-you-are-human-or-not/
You Can Make It Better
Firefox Malware Warning
Chrome Malware Warning
Real World Click-through Rates
7.2% (Firefox Malware)
23.2% (Chrome Malware)
9.1% (Firefox Phishing)
18.0% (Chrome Phishing)
Source: “Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness”
Threat Modeling & People
A model of the system being developed (whiteboard, DFD)
A model of the threats (STRIDE, attack tree)
[New!] A model of the person using the software
Threat Modeling and People
Threat Modeling and People (2/2)
A model of the person using the software: Behaviorist and cognitive science; Kahneman’s System 1/System 2; Reason’s “Strong Habit Intrusion”
Models for usable security: Ellison: Ceremonies; Cranor: Human in the loop; Sasse: Compliance Budget
Threat Mitigations/Patterns That Work (Software developers)
Win by Building better defenses
2 Key patterns in Internet Explorer 8+
Not warning on every download: People become habituated, click through
Not making the dangerous choice the default
Patterns: Gold Bar
• Appears in Office, IE, Firefox, elsewhere
Engineer NEAT Warnings
NEAT is an easy way to remember key security UX guidance
NEAT: Necessary, Explained, Actionable, Tested
Philosophy: Don’t involve the person if you don’t have to
If you involve the person, enable them to make the right decision
Does the person have unique knowledge the system doesn’t?
NEAT Warnings: Necessary
Avoid interrupting the user with security decisions, if possible
When possible, automatically take the safest option and, optionally, notify the user that other options are available
If people have no course of action & no unique knowledge, you should re-architect the product
NEAT Warnings: Explained
Provide the user with all the information necessary to make the right decision
6 key elements: SPRUCE
Source: Where is this decision coming from?
Process: What steps should they take to make the decision?
Risk: What is the security risk of getting the decision wrong?
Unique Knowledge User Has: What does the user know that we don’t that helps make the right decision?
Choices: What are their options? What do we recommend they do? What will happen when they choose each option?
Evidence: What information should they factor in?
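An added example (my code, not from the talk) that turns the Necessary rule, the Default Safe pattern and the SPRUCE elements above into a design-review check for a proposed warning: with no unique user knowledge it says to take the safe option automatically, otherwise it lists what is missing. The Choice and SecurityWarning types and the sample warning, loosely shaped like the Chrome SSL interstitial, are constructed for this example.

```python
# Added example (not from the talk): a design-review check that applies the NEAT
# "Necessary" rule and the SPRUCE "Explained" elements to a proposed warning.
from dataclasses import dataclass

@dataclass
class Choice:
    label: str             # button text
    consequence: str       # SPRUCE Choices: what happens if the user picks this
    safe: bool             # the option the system would take on its own
    default: bool = False  # preselected / visually preferred (Default Safe pattern)

@dataclass
class SecurityWarning:
    source: str            # S: where the decision comes from
    process: str           # P: steps to take to decide
    risk: str              # R: cost of getting it wrong
    unique_knowledge: str  # U: what the user knows that the system does not ("" = nothing)
    choices: list          # C: options, with the recommended one marked default
    evidence: str          # E: information the user should factor in

def review_warning(w):
    """Return "auto" when the warning is not Necessary (take the safe option and
    at most notify), else a list of Explained/Actionable findings ([] = ship it)."""
    safe = [c for c in w.choices if c.safe]
    if not w.unique_knowledge.strip():
        # Nothing to ask: with a safe option, take it silently; without one,
        # the slide's advice is to re-architect the product rather than warn.
        return "auto" if safe else ["no course of action and no unique knowledge: re-architect"]
    findings = []
    for name in ("source", "process", "risk", "evidence"):
        if not getattr(w, name).strip():
            findings.append(f"not explained: missing {name}")
    if not any(c.default and c.safe for c in w.choices):
        findings.append("dangerous choice is the default (or no default)")
    for c in w.choices:
        if not c.consequence.strip():
            findings.append(f"not actionable: choice {c.label!r} has no stated outcome")
    return findings

# Constructed sample warning, loosely shaped like the SSL interstitial on the slides.
EXAMPLE = SecurityWarning(
    source="The browser, while checking this site's certificate",
    process="Decide whether you expected this site to present an invalid certificate",
    risk="Someone on the network could read or alter what you send to this site",
    unique_knowledge="whether the user installed an interception proxy they trust",
    choices=[Choice("Back to safety", "return to the previous page", safe=True, default=True),
             Choice("Proceed (unsafe)", "load the page over an untrusted connection", safe=False)],
    evidence="certificate issuer and the exact validation error",
)
```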
Good (long) example of explanation
(Annotated screenshot, labeled: Source, Risk, Choices, Process)
Explanation: Opinionated Design
Clear instruction
Attractive preferred choice
Unattractive alternate choice
From the Google Chrome team — “Improving SSL Warnings: Comprehension and Adherence” by Adrienne Porter Felt & many colleagues
NEAT Warnings: Actionable
Enumerate scenarios at design time: Steps the person must take; Figure them out; Write them down
Wording can be a tricky balance: Too wordy, people won’t read or understand; Not enough information == not actionable
NEAT Warnings: Tested
Validate your Security UI with real people: Benign and malicious scenarios
Whole arsenal of UI testing techniques: Range from empaneling 1000s of people, to testing dozens in a usability lab, to asking coworkers down the hall
Apply what you can
User tests are always surprising
NEAT Warnings: Wallet Cards
https://blogs.microsoft.com/cybertrust/2012/10/09/necessary-explained-actionable-and-tested-neat-cards/
Defensive Patterns That Work (Operations)
Spend Your “Budget” Wisely
People want to get their job done. They expend effort to do it safely — to a point
What do you want the most? Are password changes worth the time?
Do you patch during the business day?
Make it easy and fast to do what you want the most. Great opportunity to learn from marketing & UI experts
Example: Advice You Give
Email is a threat vector
How well do you help employees manage it?
Prevent: Is it easy to see who an email is legitimately from? How often do your vendors email employees with demands?
Detect: How easy is it to report suspicious emails?
Respond: How quickly do you respond to those reports? To the originator? To the recipient?
Are you breaking your own advice with scamicry?
Usability matters: talking to executives
Executives are skilled at managing risks
We show up with the wrong messages: Compliance requirements; “Phonebooks” of risks
“Cyber Defense Matrix” is a good step: Sounil Yu’s talk “Understanding the Security Vendor Landscape Using the Cyber Defense Matrix” (PDIL-W02F)
Apply Slide
Don’t give in to the dark side
Avoid confusing people with scamicry or impractical advice
Use defensive software patterns: Gold Bar, Default Safe, NEAT
Build operations for real people
Share your work
Questions? Thank you!